SPDM-based firmware protection system and method
Abstract
According to embodiments of the present disclosure, a Security Protocol and Data Model (SPDM)-enabled device uses a device identity to provide, among other things, a SPDM-based firmware protection system and method that, upon execution by computer-readable instructions, receive, from a requesting device, a request to update the SPDM-enabled device with a software package, and obtain the software package from an online portal. The computer-readable instructions further encrypt the software package with an encryption key, encrypt the encryption key with a device identity certificate of the requesting device, and send the encrypted software package and encrypted encryption key to the requesting device.
Claims
exact text as granted — not AI-modifiedThe invention claimed is:
1. An Information Handling System (IHS) comprising:
a Security Protocol and Data Model (SPDM)-enabled device conforming to a SPDM specification; and
at least one memory coupled to at least one processor, the at least one memory having
program instructions stored thereon that, upon execution by the at least one processor, cause the IHS to:
receive, from a requesting device, a request to update the SPDM-enabled device
with a software package;
obtain the software package from an online portal;
encrypt the software package with an encryption key;
encrypt the encryption key with a device identity certificate of the requesting device; and
send the encrypted software package and encrypted encryption key to the requesting device;
wherein the request includes the device identity certificate, and wherein the device identity certificate conforms to a data structure as specified by the SPDM specification.
2. The IHS of claim 1 , wherein the requesting device comprises a Baseboard Management Controller (BMC) configured in the IHS.
3. The IHS of claim 2 , wherein the program instructions, upon execution, further cause the IHS to:
receive the encrypted software package and encrypted encryption key;
decrypt the encryption key with a private key corresponding to the device identity certificate of the requesting device;
decrypt the software package with the encryption key; and
update the SPDM-enabled device with the software package.
4. The IHS of claim 3 , wherein the instructions are performed in a data center, and the BMC is located in the data center.
5. The IHS of claim 3 , wherein the instructions are performed in the same IHS that the BMC is configured in.
6. The IHS of claim 1 , wherein the program instructions, upon execution, further cause the IHS to obtain the device identity certificate from slot 0 of the data structure.
7. The IHS of claim 1 , wherein the encryption key comprises a random encryption key.
8. The IHS of claim 1 , wherein the online portal is managed by a vendor of the IHS.
9. A SPDM-based firmware protection method comprising:
receiving, from a requesting device, a request to update a Security Protocol and Data
Model (SPDM)-enabled device with a software package, the SPDM-enabled
device conforming to a SPDM specification;
obtaining the software package from an online portal;
encrypting the software package with an encryption key;
encrypting the encryption key with a device identity certificate of the requesting device; and
sending the encrypted software package and encrypted encryption key to the requesting device;
wherein the request includes the device identity certificate, and wherein the device identity certificate conforms to a data structure as specified by the SPDM specification.
10. The SPDM-based firmware protection method of claim 9 , wherein the requesting device comprises a Baseboard Management Controller (BMC) configured in an Information Handling System (IHS), and wherein the SPDM-based firmware protection method further comprises:
receiving, by the BMC, the encrypted software package and encrypted encryption key;
decrypting, by the BMC, the encryption key with the device identity certificate of the requesting device;
decrypting, by the BMC, the software package with the encryption key; and
updating, by the BMC, the SPDM-enabled device with the software package.
11. The SPDM-based firmware protection method of claim 10 , performing the instructions wherein the SPDM-based firmware protection method is performed in a data center, and the BMC is located in the data center.
12. The SPDM-based firmware protection method of claim 10 , further comprising performing the instructions wherein the SPDM-based firmware protection method is performed in the same IHS that the BMC is configured in.
13. The SPDM-based firmware protection method of claim 10 , wherein the request includes the device identity certificate, wherein the device identity certificate conforms to a data structure as specified by the SPDM specification, and wherein the program instructions, upon execution, further cause the IHS to obtain comprising obtaining the device identity certificate from slot 0 of the data structure.
14. The SPDM-based firmware protection method of claim 9 , wherein the encryption key comprises a random encryption key.
15. The SPDM-based firmware protection method of claim 10 , wherein the online portal is managed by a vendor of the IHS.
16. A computer program product comprising a computer readable storage medium having program instructions stored thereon that, upon execution by an Information Handling System (IHS), cause the IHS to:
receive, from a requesting device, a request to update a Security Protocol and Data Model (SPDM)-enabled device with a software package, the SPDM-enabled device conforming to a SPDM specification;
obtain the software package from an online portal;
encrypt the software package with an encryption key;
encrypt the encryption key with a device identity certificate of the requesting device; and
send the encrypted software package and encrypted encryption key to the requesting device;
wherein the request includes the device identity certificate, and wherein the device identity certificate conforms to a data structure as specified by the SPDM specification.
17. The computer program product of claim 16 , wherein the requesting device comprises a Baseboard Management Controller (BMC) configured in the IHS, and wherein the program instructions, upon execution, further cause each of the BMC to:
receive the encrypted software package and encrypted encryption key;
decrypt the encryption key with a private key corresponding to the device identity certificate of the requesting device;
decrypt the software package with the encryption key; and
update the SPDM-enabled device with the software package.
18. The computer program product of claim 17 , wherein the instructions are performed in a data center, and the BMC is located in the data center.
19. The computer program product of claim 17 , wherein the instructions are performed in the same IHS that the BMC is configured in.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.